Interpreting “Personal Data” and “Business Contact Data” under GDPR

Imagine you have constructed a house and let Mr X live there and use the address for the activities you have authorized him to carry out.

Does the house belong to you or Mr X?

When Mr X’s authorization to use the house ends, can he keep the house to himself? Can he ask you to demolish the house? Can he take away the things in the house: both what he himself had bought while he was in service and what you had given him for use, or what you and he together created?

This is precisely the status of a Business E-Mail Address that an employer gives to its employee and that he uses for his employment-related communication, which is called the “Business Contact Address”.

Now GDPR has a set of prescriptions that apply to Personal Information that is identifiable with a living person. It is interesting therefore to discuss if the “Business Contact Data” is “Personal Information” and is subject to GDPR compliance.

GDPR uses certain terms a bit carelessly, creating confusion over their interpretation. The “PII or Personally Identified Information” is one such term, which needs to be distinguished from “PI or Personal Information”, but GDPR gives room to interpret the two as not much different though they should be considered different.

There is no doubt that Business Contact data is “Personally Identifiable” and hence some interpret it as “Personal Information” to be subjected to the regulations.

But if we look at the basic objective of GDPR as defined in Article 1, it is clear that the regulation is meant to protect the personal information of an EU data subject since it is considered important for Privacy Right protection.

But under Article 4(1), “Personal data” is defined as “any information relating to an identified or identifiable natural person”.

If we look at the basic objective of GDPR along with the example of the rented premises given above, it is clear that GDPR should not interpret the Business Contact Data as “Personal Information” since it is a virtual property that belongs to the employer and not the employee. Being a property of a company, created and used for the use of the Company’s business, it does make sense in considering that Business Contact data such as the E-Mail of an employee as Personal Data.

I hope this would be acceptable to a majority of the companies though some consultants may have hesitation in accepting this interpretation.

Perhaps over time, this concept will get some clarity in the minds of the users and it would be accepted that Business Contact Data used by B2B business entities remains outside the GDPR.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.